Re: [Re: AppSec FAQ at OWASP]

[Rohyt Belani <rohytbelani () hotmail com>]

In-Reply-To: <310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net>

An easier solution to prevent XSS attacks might be to HTML encode the "<" and ">" characters as &lt and &gt. So even if 
they are accepted as input from the user, it would not result in the execution of a script like 
&lt;script&gt;...&lt;/script&gt;.


> =E3=82=AA=E3=83=9E=E3=83=AB =E3=82=A4=E3=82=B9=E3=83=9E=E3=82=A4=E3=83=AB=
> <isumai-u () is aist-nara ac jp> wrote:
> > I would like to know that how you deal with the false positive?
> > In the case of " <img src=3D "javascript: preview(....)> or <img =
>
> > src=3D"javascript:window.close()>..etc..etc..
> > If you escape the "(" and ")" that means you render out the harmless =
>
> > Javascript too.
>
>
> I'm not sure if I've understood the issue, so pls correct me if I'm wrong=
> =2E You
> would not escape *every* '<' or '(' in the html page. You would only esca=
> pe
> those which come from user-supplied inputs in the first place. I assume t=
> hat
> the harmless calls to preview() and window.close() are *not* user supplie=
> d
> inputs, but part of the html page template. So, there shouldn't be false
> positives escaping '(' and ')' from content that came from user-supplied
> inputs.
>
> Thanks,
> Sangita.